Interest in other signature libs/tools?

Jeremy Huntwork jeremy at merelinux.org
Sat Dec 25 13:53:57 UTC 2021


On Thu, Dec 23, 2021 at 11:34 PM Allan McRae <allan at archlinux.org> wrote:
>
> I'm not a fan of the idea that if a user has a handful of non-distro
> repositories configured, that every package signature would need checked
> against multiple keys until one passed.  Is there no way of identifying
> the correct signing key from the signature file?
>

Yeah, I believe there is. Here's the contents of a generated public key:

asignify-pubkey:1:mtG16Izr+xQ=:FlDRmIlYxCG0QAm7Jjmf/im62EBfg2nCpwzGPpkq+30=

And here's the contents of the sig file made using the corresponding
private key:

asignify-sig:1:mtG16Izr+xQ=:txEF3fQ/gaBAVCi8WpDICWn9i7gqgfJXp/viJDQeeETfbZTheIXHitmXv9Z+RQO9dYQDkJ6AMZt/xTU1/lWlDQ==
BLAKE2 (test.c) =
f8222a69bb9672b76ad7cc8776902a4b5bdde47b64040cd6febe798df3c7545a1f86e1ae94898f63fe94e3cabb91cda359be6b12edddcccd95ef5fd965349600

So it looks like the third field on the first line is a fingerprint for the key.

JH
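
Added example, not part of the original message and not asignify or pacman code: a sketch of choosing the verification key from a signature file's first line, assuming (as the two samples above suggest) that the third colon-separated field is a key identifier shared by the public key and the signature. The function names and the second keyring entry are constructed for illustration.

```python
import base64
from typing import NamedTuple, Optional

class Record(NamedTuple):
    kind: str       # "pubkey" or "sig"
    version: int
    key_id: bytes   # third field; assumed to identify the signing key
    data: bytes     # public key bytes or signature bytes

def parse_record(line: str) -> Record:
    """Parse 'asignify-<kind>:<version>:<b64 key id>:<b64 data>'."""
    magic, version, key_id, data = line.strip().split(":")
    if magic not in ("asignify-pubkey", "asignify-sig"):
        raise ValueError("not an asignify pubkey or sig line")
    return Record(magic[len("asignify-"):], int(version),
                  base64.b64decode(key_id, validate=True),
                  base64.b64decode(data, validate=True))

def build_keyring(pubkey_lines):
    """Index trusted public keys by (version, key id) for O(1) lookup."""
    ring = {}
    for line in pubkey_lines:
        rec = parse_record(line)
        if rec.kind != "pubkey":
            raise ValueError("keyring may only contain public keys")
        ring[(rec.version, rec.key_id)] = rec
    return ring

def select_key(keyring, sig_file_text: str) -> Optional[Record]:
    """Return the one key to verify against, or None if it is not trusted.
    The id is only a lookup hint: the signature must still be verified
    with the selected key before the package is accepted."""
    sig = parse_record(sig_file_text.splitlines()[0])
    if sig.kind != "sig":
        raise ValueError("first line is not a signature record")
    return keyring.get((sig.version, sig.key_id))

# Key and signature lines as quoted in the message above.
PAGE_PUBKEY = ("asignify-pubkey:1:mtG16Izr+xQ=:"
               "FlDRmIlYxCG0QAm7Jjmf/im62EBfg2nCpwzGPpkq+30=")
PAGE_SIG_FILE = ("asignify-sig:1:mtG16Izr+xQ=:txEF3fQ/gaBAVCi8WpDICWn9i7gqgfJXp"
                 "/viJDQeeETfbZTheIXHitmXv9Z+RQO9dYQDkJ6AMZt/xTU1/lWlDQ==\n")
# Constructed second repository key (all-zero id and key), not a real key.
OTHER_PUBKEY = "asignify-pubkey:1:%s:%s" % (
    base64.b64encode(bytes(8)).decode(), base64.b64encode(bytes(32)).decode())

if __name__ == "__main__":
    ring = build_keyring([OTHER_PUBKEY, PAGE_PUBKEY])
    print(select_key(ring, PAGE_SIG_FILE))
```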

